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DETAILED ACTION 

1 . A request for continued examination under 37 CFR 1.114, including the fee set forth 
in 37 CFR 1 .1 7(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1 .17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
1/20/09 has been entered. 

2. The amendment received on 02/02/09 and IDS' received on 2/17/09 and 3/17/09 
have been entered and considered. 

Response to Arguments 

3. Applicant's arguments are essentially directed towards the newly introduced 
limitations. 

4. In particular, applicant arguments that Brownlie in view of Donohue and further in 
view of Chamberlain or in alternative, in view of De Meon does not teach: 
"wherein the accumulated delta is distributed with a version of the security policy to reconstruct a 
previously distributed local customized security policy in one step, wherein the accumulated delta 
represents the combined effect of the series of incremental changes to the security policy." 
Applicant's arguments have been carefully considered but were not found 
persuasive. In particular, the examiner points out that distributing data (i.e. security 
policies in the accumulated delta) with metadata (i.e. a version of the security policy) 
is old and well known in the art of data distribution (DRM content, anti-virus 
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definition, etc.) and in particular, such an implementation wherein there are various 
version of data is available, such as in Brownlie Donohue and Chamberlain or De 
Meon's invention, would have been simply implicit. 
5. Claims 1-9 and 21-31 have been examined. 

The text of those sections of Title 35, U.S. Code not included in this action can be 
found in a prior office action. 



Claim Rejections - 35 USC § 103 

6. Claims 1-2, 5, 7-8, 21-31 are rejected under 35 U.S.C. 103(a) as obvious over 
Brownlie et al. (U.S. Patent No. 6202157) in view of Donohue (U.S. Patent No. 
6199204) and further in view of Chamberlain (U.S. Patent No. 6438749) or, in 
alternative, in further view of De Meno et al. (U.S. Publication 2001/0029517). 
As per claims 1-2, 5, 7-8, 21-22, 24, 26-27, 29-31 Brownlie et al. teach a policy 
manager, coupled to a network, including a database for storing a security policy 
including a plurality of rules and a policy distributor, coupled to the database, for 
distributing the plurality of rules through the network (Brownlie et al., col. 3 lines 25- 
34, line 54-col. 4 line 2), a security engine located on a client coupled to the network, 
for storing a set of the plurality of rules constituting a local customized security policy 
received through the network from the policy distributor and for enforcing the local 
customized security policy with respect to an application at the client (Brownlie et al., 
col. 4 lines 16-43, 51-52 and col. 5 lines 1-5), an application, coupled to the security 
engine application rather than being embedded in the application (Brownlie etal., 
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Fig. 1 node 22, col. 4 lines 47-50 and col. 7 lines 43-49) and the security policy 
including a plurality of rules for controlling access to securable objects (Brownlie et 
al., col. 7 lines 1-22). 
7. As per determining incremental changes applicable to the security engine, the 
examiner points out that computing environments are subject to constant changes 
that are the result of continuing evolution of corporate administrative structure as 
well as software advancement. In addition to ever changing corporate structures as 
well as security requirements, software itself evolves (for example it changes and is 
replaced) setting new requirements for user interactions. 
This notion is also recognized by Brownlie etal. who anticipate a series of 
incremental changes to a security policy (Brownlie et al., col. 1 lines 54-56, line 2 
lines 29-30, col. 7 lines 50-54 etc.). 

However, Brownlie etal. is silent in regard to the specific implementation of 
incremental changes to a security policy. Specifically, Brownlie et al. do not disclose 
that updates involve keeping track of a series of incremental changes, computing an 
accumulated delta that reflects the series of incremental changes and sending the 
accumulated delta to the subject implementing the changes (the security engine) 
from a distributor (the policy manager) such that the subject uses the delta to update 
the current setting (the current local customized security policy). 
Donohue discloses the process of updating computing systems that involves 
keeping track of a series of incremental changes (Donohue, col. 7 line 59-col. 8 
Iine10 and Fig. 2) computing an accumulated delta that reflects the series of 
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incremental changes (e.g. col. 7 line 66-col. 8 line 2 and col. 9 lines 44-58) and 
sending the accumulated delta to the subject implementing the changes from a 
distributor such that the subject uses the delta to update the current setting 
(Donohue, col. 4 line 23-28). It would have been obvious to one of ordinary skill in 
the art at the time of applicant's invention to compute an accumulated delta that 
reflects the series of incremental changes and send the accumulated delta to the 
subject implementing the changes from a distributor such that the subject uses the 
delta to update the current setting giving the benefit of more efficient updates of 
security policies while saving network bandwidth. 

(Note that Donohue's invention was used just as an example. However using the 
accumulated delta concept is old and well known in the art, see Flynn et al., (U.S. 
Patent No. 5347653), Nachenberg et al. (U.S. Patent No. 6167407), etc.) 
8. Additionally, the examiner points out that each change to a security policy (whether 
incremental or not) inherently includes one ore more rule changes in a security 
policy and, as per keeping track of incremental changes in network environment, it is 
infeasible to ensure that incremental changes are implemented by all subjects 
(clients with security engines) at the same time. For example, in addition to subjects 
available for updates, some may be shut down (e.g. a user taking vacation) and 
some may not be even in a distributor network (e.g. a user taking a laptop for a 
business trip). As a result, comprehensive updates to already present policy must 
account for the time difference that results in a different set of incremental changes 
distributed to policy subjects. Thus, it would have been obvious to one of ordinary 



Application/Control Number: 10/017,368 Page 6 

Art Unit: 2434 

skill in the art at the time of applicant's invention to keep track of incremental 
changes that would allow computation of an accumulated delta that reflect the series 
of incremental changes (for a particular subject) distributed to a particular subject 
given the benefit of a comprehensive update of each subject using a minimum of 
network bandwidth and a flexible update schedule. 

9. Furthermore, there are essentially only a few possibilities to update current 
configuration (such as policies) in order to reflect the most current desirable state 
(the most current overall configuration), which could include multiple intermediate 
updates. The newest most current overall configuration settings could be used to 
overwrite the current configuration. The changes could be implemented gradually, or 
only the difference (delta) between the current and most updated overall 
configuration could be installed. (The last one reads on the claimed limitations) Any 
of these implementations, are obvious variations of each other. However, taking in 
consideration time and network bandwidth required to deliver and update all network 
subjects, the delta implementation would have been the most obvious choice. 
Transferring less data via network minimize the use of the network bandwidth and 
less data to install speeds up the update process and minimize possibility of errors. 

1 0. Brownlie et al. in view of Donohue do not suggest using the accumulated delta to 
reconstruct a previous state (e.g. the previously distributed locate customized 
security policy). 
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De Meno discloses using the accumulated delta to reconstruct a previous state (De 
Meno [0023]). Also, Chambelian discloses using the accumulated delta to 
reconstruct a previous state (Chambelian, Fig. 4 and 5, and associated text). 
It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to use the accumulated delta to reconstruct a previous state given the 
benefit of returning the system to the previous state if the updating the local 
customized security policy with the accumulated delta result in failure or abortion. 

1 1 .Although in Fig. 1 , Brownlie et al. discloses only one set of a security 

engine/application being guarded by a access authorization service set, Brownlie 
clearly discloses that there may be more than one client 22. Thus, different client 
have different set of a security engine/application being guarded by different access 
authorization service. Specifically, Brownlie teaches that "the system 10 also 
includes a plurality of network nodes 22 that have access to the public directory 20 
through a network link 24" (Brownlie etal. col. 4 lines 16-18). Clearly, applications 
on different clients read on separate applications and by virtue of residing on 
different clients that have different security engines, these separate applications 
clearly do not share the same authorization services. 

1 2. As per newly introduced limitation, the examiner points out that distributing data (i.e. 
security policies in the accumulated delta) with metadata such as a version of the 
distributed data (i.e. security policy) is old and well known in the art of data 
distribution (see DRM content anti-virus definition, etc.) and in particular, such an 
implementation wherein there are various version of data is available, such as in 
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Brownlie Donohue and Chamberlain or De Meon's, such an implementation would 
have been obvious to one of ordinary skill in the art at the time of applicant's 
invention given the benefit of providing information about the distributed data. 

13. As per claims 25 and 29 Brownlie et al. changes inherently include one or more of 
adding, deleting and amending. 

14. As per claims 22-23 and 27-28 the table disclosed by Donohue in Fig. 2 reads on a 
policy tracking table. Furthermore, Official Notice is taken that it is old and well- 
known practice to store data in a table and using the stored data in reconstruction of 
a computer systems to a previous state. It would have been obvious to one of 
ordinary skill in the art at the time of applicant's invention to reconstruct a computer 
state to the previous version using earlier stored and distributed data given the 
benefit of a quick troubleshooting of problems, potentially introduced by the data. 

15. Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over Brownlie et 
al. (U.S. Patent No. 6202157) in view of Donohue (U.S. Patent No. 6199204) and 
Chamberlain (U.S. Patent No. 6438749) or, in alternative, De Meno et al. (U.S. 
Publication 2001/0029517), and further in view of Wang (U.S. Patent No. 5956521). 
Brownlie et al. discloses that the policy manager and the policy distributor are hosted 
on a first server (Brownlie et al., col. 3 lines 27-34, 54-56 and 61-63), the security 
engine and the application are hosted on a second node, and the first and second 
node are communicatively coupled to each other through the network (col. 3 lines 
61-63). 
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^S. Brownlie etal. in view o1 Donohue and Chamberlain or, in alternative, De Meno et 
a/.do not explicitly teach that the second node is a server. 
Wang teach a plurality of nodes that are servers (Wang, Fig. 3). 
It would have been obvious to one of ordinary skill in the art at the time of applicant's 
enforceable security policy invention as disclosed by Brownlie et al. in view of 
Donohue and Chamberlain or, in alternative, De Meno et al. into systems with nodes 
that are servers as taught by Wang. One of ordinary skill in the art would have been 
motivated to perform such a modification in order to provide an enforceable flexible 
security policy for each network node including servers. 

17. Claims 3-4 and 9 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Brownlie et al. (U.S. Patent No. 6202157) in view of Donohue (U.S. Patent No. 
6199204) and Chamberlain (U.S. Patent No. 6438749) or, in alternative, De Meno et 
al. (U.S. Publication 2001/0029517), and further in view of TRCKA etal. (U.S. Pub. 
No. 20010039579) and Microsoft Press (Computer Dictionary, 3rd Edition. ISBN: 
157231446XA, 1997). 

Brownlie et al. in view of Donohue and Chamberlain or, in alternative, De Meno et 
a/.disclose the security engine as discussed above. 

As per claims 3, Brownlie et al. teach the security engine for evaluating a request to 
access the application based on the set of the plurality of rules and the application 
and the engine to communicating (Brownlie etal., col. 4 lines 47-50 and col. 7 lines 
43-49). 
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W.Brownlie etal. in view oiDonohue and Chamberlain or, in alternative, De Meno et 
a/.do not explicitly teach an application programming interface (API) for enabling 
communication between the application and the engine. 
TRCKA etal. teach utilizing API in communication [101]. 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to provide API for enabling communication between the application and the 
engine as taught by TRCKA et al. One of ordinary skill in the art would have been 
motivated to perform such a modification in order to code efficiency by allowing 
significant amount of code to be re-used [103]. 
1 9. Microsoft teaches a plug-in (Microsoft Press, pg. 370). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to incorporate a plug-in API as taught by Microsoft. One of ordinary skill in 
the art would have been motivated to perform such a modification in order to provide 
additional functionality (Microsoft, pg. 410). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Peter Poltorak whose telephone number is (571 ) 272- 
3840. The examiner can normally be reached Monday through Thursday from 9:00 
a.m. to 4:00 p.m. and alternate Fridays from 9:00 a.m. to 3:30 p.m. 



Application/Control Number: 1 0/01 7,368 Page 1 1 

Art Unit: 2434 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kambiz Zand can be reached on (571) 272-381 1 . The fax phone number 
for the organization where this application or proceeding is assigned is (571) 273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 

/Peter Poltorak/ 

Examiner, Art Unit 2434 

/Kambiz Zand/ 

Supervisory Patent Examiner, Art Unit 2434 



